Slashdot Mirror

← Back to Stories (view on slashdot.org)

AOL's Merlin Compromised?

Posted by CmdrTaco on from the that-would-suck dept.

Neophytus writes "The Inquirer reports that AOL's central customer database, Merlin, may have been been compromised by crackers. This, even though it required 'a user ID, two passwords, and a specialized ID code' to gain access to. That's 35 million user's names, addresses, emails and credit card details - a goldmine for spammers and fraudsters alike. As they they put it, 'AOL can now add another accomplishment to its list: Biggest security disaster in ISP history.' The Register is also running a story explaining why this is not particularly likly, though." Here's the original Wired story.

5 of 239 comments (clear)

  1. Social Engineering more than hacking by peterdaly · · Score: 5, Insightful

    While many of these hacks utilize programming bugs, most hackers are finding it far easier and quicker to get access or information simply by calling the company on the phone. These so-called social engineering tactics involve calling AOL customer support centers and simply asking to have a given user's password reset. Logging in with the new password gives the intruder full access to the account. In a telephone interview, two hackers using the handles Dan and Cam0 explained that security measures (such as verifying the last four digits of a credit card number) can be bypassed by mumbling. A third hacker, using the name hakrobatik, confirmed the mumbling method.

    This article is more about social engineering than about the AOL break in. This is odd, if this were true, I would expect a much different type of artcle to be on the lead edge of the breaking news like this. I don't know if this is true or not, but the Wired article does not really have a whole lot of meat with it.

    -Pete

    --
    Soccer Goal Plans
  2. this happens all the time by mix_master_mike · · Score: 5, Insightful

    Some of you may recall this interview from a while back - I used to be an AOL nerd back in the day and I know a few of the kids mentioned in the articles (and I think cam0 is 15 now?) - anyway.. from what I can recall alot of the 'hackers' (script kiddies, whatever) would simply use extreme social engineering tactics, as these articles explain, to get whatever they wanted. As the amount actual bugs of the systems would dry up (your basic token bugs, invokes, problems with the systems themselves) alot of the 'hackers' would have to figure out other ways to get in.

    Getting past sID - this is not that big of a deal, while it's not that easy to do as long as you con the right person and you get lucky with the timing your all set. Once you have complete access to their internal system you will have no problems getting them to toss you their current number..

    the only non-realistic part of the articles I read were regarding how many attackers utilize programming bugs - there are far fewer now then there used to be..

    --

    mix_master_mike
    vafrous

  3. Not too likely by island_earth · · Score: 5, Insightful

    Neither the Inquirer article nor the Wired article shows any evidence that an actual break-in occurred. Of course an occasional account may have been compromised... big hairy deal. But nobody provided any proof that even a noticeable percentage of the 35 million (active or inactive, whatever) accounts has been touched.

    The Wired article quotes sounded like a bunch of script kiddies, probably with their own AOL accounts, were making things up to sound important. (What? Online sources telling lies to seem cool? No way!) No evidence was provided in either article, and given the obvious safeguards (of which SecurID is a good one) it sounded like so much bull.

    This all sounds like a standard "AOL sux!!!" kind of posting, elevated to seeming respectability by badly-researched articles in the almost-mainstream media.

  4. Oh, wired... by Ravagin · · Score: 5, Insightful

    Please note that all the sources in the article are "hackers." Yet Wired reports it as _fact_ when they have no official confirmation or hard evidence. I guess a publication like Wired doesn't have very strict journalistic standards about news, but still... this is an instance where you use words like "alleged" and "claim."

    --

    Karma: T-rexcellent.

  5. Re:the specialized id code is is securid by Grax · · Score: 5, Insightful

    I understand how SecurID works. My point is that if you have remote control of a machine that is logged in and not disconnected then it doesn't matter how secure SecurID is. It is much the same principle as logging into a machine with your SecurID and then going for coffee.

    I am not claiming at all that the article is actually accurate as it offers no proof and no reliable sources. But, it is theoretically possible to take over a machine where the SecurID has already been entered and cause havoc.

    --
    Coding Blog